Tunnel Restoration and Authentication Cookie Usage Restrictions

You can now enforce additional restrictions on tunnel restoration and authentication cookie usage.
Software Support
: PAN-OS® 9.0 and later releases
If you configure GlobalProtect to automatically restore the VPN connection after a disconnect, or to use authentication cookies for transparent authentication, you can now enforce additional restrictions that tighten security:
  • Automatic restoration of SSL VPN tunnels at the gateway level:
    You can now control automatic restoration of SSL VPN tunnels per gateway. This is useful if you want to prevent the GlobalProtect app from automatically reestablishing the VPN tunnel only for specific gateways, such as external gateways.
  • Source IP enforcement for authentication cookies:
    You can now configure the GlobalProtect portal or gateway to accept a cookie from an endpoint only when the endpoint's IP address matches the original source IP address for which the cookie was issued, or falls within a specified network IP address range. You define the range with a CIDR subnet mask, such as /24 or /32. For example, if an authentication cookie was originally issued to an endpoint with a public source IP address of 201.109.11.10 and the subnet mask is set to /24, the cookie remains valid only on endpoints with public source IP addresses within the 201.109.11.0/24 range.
These settings provide a more restricted user connection experience.
  • Use the following steps to configure automatic VPN tunnel restoration for a GlobalProtect gateway:
    1. Set the tunnel restoration behavior for this gateway:
      • To prevent the GlobalProtect app from automatically reestablishing the VPN tunnel for this gateway, select Disable Automatic Restoration of SSL VPN.
      • To allow the GlobalProtect app to automatically reestablish the VPN tunnel for this gateway, clear Disable Automatic Restoration of SSL VPN (default).
    2. Save the gateway configuration.
      1. Click OK.
      2. Commit your changes.
  • Use the following steps to configure source IP address enforcement for authentication cookies:
    1. To configure the GlobalProtect portal or gateway to accept cookies only from endpoints with a specific IP address or within a specified IP address range, enable Restrict Authentication Cookie Usage (for Automatic Restoration of VPN tunnel or Authentication Override) to, and then select one of the following conditions:
      • If you select The original Source IP for which the authentication cookie was issued, the authentication cookie is valid only if the public source IP address of the endpoint attempting to use the cookie is the same public source IP address of the endpoint to which the cookie was originally issued.
      • If you select The original Source IP network range, the authentication cookie is valid only if the public source IP address of the endpoint attempting to use the cookie is within the designated network IP address range. Enter a Source IPv4 Netmask or Source IPv6 Netmask to define the subnet mask of the network IP address range for which the authentication cookie is valid (for example, 32 or 128).
    2. Save the gateway configuration.
      1. Click OK.
      2. Commit your changes.
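The following is an added example, not code from PAN-OS or this documentation, that models the two cookie restriction conditions described above (the feature overview and the configuration steps): exact-match on the original source IP, or membership in the network range derived from the original IP and the configured IPv4/IPv6 netmask. The function name `cookie_ip_allowed`, the sample cookie records and the presentation attempts are all constructed for illustration; the actual gateway logic is not published and may differ.

```python
import ipaddress
from typing import Optional


def cookie_ip_allowed(issued_ip: str, presenting_ip: str,
                      netmask_bits: Optional[int] = None) -> bool:
    """Decide whether a cookie issued to issued_ip may be presented from presenting_ip.

    netmask_bits=None models "The original Source IP for which the authentication
    cookie was issued" (exact match).  An integer models "The original Source IP
    network range" with that prefix length; /32 (IPv4) or /128 (IPv6) is equivalent
    to an exact match.  (Hypothetical model of the documented behaviour.)
    """
    issued = ipaddress.ip_address(issued_ip)
    presenting = ipaddress.ip_address(presenting_ip)
    # A cookie issued over IPv4 is never valid from an IPv6 source, and vice versa.
    if issued.version != presenting.version:
        return False
    if netmask_bits is None:
        return issued == presenting
    # strict=False lets us derive the network from a host address, e.g. 201.109.11.10/24
    # becomes 201.109.11.0/24; an out-of-range prefix length raises ValueError.
    network = ipaddress.ip_network(f"{issued}/{netmask_bits}", strict=False)
    return presenting in network


def evaluate_attempts(cookies: dict, attempts: list, netmask_v4: Optional[int],
                      netmask_v6: Optional[int]) -> list:
    """Apply the policy to a list of (cookie_id, presenting_ip) attempts.

    cookies maps cookie_id -> IP the cookie was issued to.  The netmask used depends on
    the address family of the issuing IP, mirroring the separate IPv4/IPv6 netmask fields.
    Returns a list of (cookie_id, presenting_ip, allowed) tuples for logging or review.
    """
    results = []
    for cookie_id, presenting_ip in attempts:
        issued_ip = cookies[cookie_id]
        family_mask = netmask_v4 if ipaddress.ip_address(issued_ip).version == 4 else netmask_v6
        results.append((cookie_id, presenting_ip,
                        cookie_ip_allowed(issued_ip, presenting_ip, family_mask)))
    return results


# Constructed sample data: which endpoint each cookie was issued to.
SAMPLE_COOKIES = {
    "cookie-A": "201.109.11.10",            # IPv4 example from the text
    "cookie-B": "2001:db8:1234:abcd::10",   # constructed IPv6 address
}

# Constructed presentation attempts (cookie id, public source IP seen by the gateway).
SAMPLE_ATTEMPTS = [
    ("cookie-A", "201.109.11.10"),          # same endpoint
    ("cookie-A", "201.109.11.200"),         # same /24, different host
    ("cookie-A", "201.109.12.10"),          # outside the /24
    ("cookie-B", "2001:db8:1234:abcd::77"), # same /64
    ("cookie-B", "2001:db8:1234:ffff::10"), # outside the /64
]

if __name__ == "__main__":
    print("Exact match (/32, /128):")
    for row in evaluate_attempts(SAMPLE_COOKIES, SAMPLE_ATTEMPTS, 32, 128):
        print("  ", row)
    print("Network range (/24, /64):")
    for row in evaluate_attempts(SAMPLE_COOKIES, SAMPLE_ATTEMPTS, 24, 64):
        print("  ", row)
```

Running the block shows the trade-off the documentation describes: with /32 and /128 only the issuing endpoint can reuse its cookie, while /24 and /64 tolerate address changes inside a NAT pool or home prefix at the cost of accepting the cookie from neighbouring hosts in that range.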